Problem with imgburn package #129

Open
gep13 opened this issue Oct 9, 2020 · 18 comments

@gep13

gep13 commented Oct 9, 2020

@mikecole we received a report about one of your packages:

I downloaded the file using Chocolatey. Right after installing, MBAM AV engine reported Adware Fusin.Core. Virustotal.com reports 67 AV engine hits.

Is this something that you can help with? Given the high number of detections for the file, we may need to look to remove this package from the repository if there is nothing that can be done.

I did notice the pinned comment from Rob here: https://chocolatey.org/packages/imgburn/2.5.8.20170708#comment-3780419867 but I wanted to check to see if things had changed.

@mikecole
Owner

mikecole commented Oct 9, 2020 via email

@pauby

pauby commented Oct 12, 2020

Can we look to use mirrors for this as suggested in the comment @gep13 linked to?

@mikecole
Owner

mikecole commented Oct 13, 2020 via email

@pauby

pauby commented Oct 14, 2020

@AdmiringWorm may be able to help here as he has some experience using headers in requests for downloads.

@AdmiringWorm

@pauby @mikecole I don't think just using headers in the request would help in the case of using Major Geeks as a mirror.

From the looks of it, it must be scripted inside the package to get the session URL during the installation.

@pauby

pauby commented Oct 21, 2020

@AdmiringWorm Are there any packages, that you're aware of, that do this?

@AdmiringWorm

None that comes to mind, unfortunately.

Maybe @mkevenaar, @RedBaron2 or @chtof are aware of any.

@RedBaron2

@mikecole
The software has not had an update since 2013, and as many people mentioned in the imgburn/majorgeeks forum/disqus, most new systems don't come with CD/DVD drives for even using the software.

@pauby
I'm not a legal expert. The use of MajorGeeks as a mirror could create a usage conflict with Chocolatey (the company). We would not want to have another issue like the FossHub issue from 3 years ago.

@pauby

pauby commented Oct 27, 2020

@RedBaron2 Can you elaborate on all of that as I'm unsure of it?

@AdmiringWorm

@pauby I assume he is referring to: https://github.com/chocolatey/package-validator/wiki/ScriptsDoNotDownloadFromFossHub

@mikecole
Owner

@gep13 I'd like to request that we remove this package from choco. Due to its long history with malware, its limited usefulness today, and the unclear path forward, I just don't think it's feasible to maintain it.

@TheCakeIsNaOH

I've taken a closer look at this, and it actually seems to be alright now.

The currently newest approved version is 2.5.8.20170708. That has a checksum starting with D7DEA28, and has a high VirusTotal count of 40/69 (currently).

The version currently under moderation is 2.5.8.20210426. That has a checksum starting with 49AA061, and a low virus count of 2/67 (currently).

The binary with 49AA061 is also what majorgeeks offers for download, and they are offering a clean version, without open candy.

Thus, it appears like the author's site is now offering the version of the binary previously only available at majorgeeks.

Therefore, my suggestion is to go ahead and approve version 2.5.8.20210426, and then unlist all older versions of the package.

@jkirk

jkirk commented Aug 6, 2024

Any progress on this? 2.5.8.20210426 downloads the file directly from imgburn.com, see: 1d5641d

Virus Total shows a score of 0:

The only problem I see is that the verification tests failed: https://gist.github.com/choco-bot/c48938534358fcb879da695814dc6ecb

Can we help to fix this?

Thx for maintaining ImgBurn! ❤️

@mikecole
Owner

mikecole commented Aug 6, 2024

I just re-listed it. I am unable to trigger a re-run on the virus scanner or verification tests, so we'd need somebody like @TheCakeIsNaOH to reconcile that part of it. Thanks!

@pauby

pauby commented Aug 6, 2024

@mikecole Package Verifier / Package Scanner don't need to be re-run.

@mikecole
Owner

mikecole commented Aug 6, 2024

@pauby I was trying to reset this message:

image

@pauby

pauby commented Aug 6, 2024

To do that, we need to exempt the package, run the services and then potentially (if it passes) approve it again.

My suggestion would be to leave this as is unless there is a reason not to do so.

@mikecole
Owner

mikecole commented Aug 6, 2024

@pauby My only concern with that is the warning IMO makes the package seem dangerous to the end user, when it perhaps isn't.
